Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io. Feed generated Tue, 17 Jan 2017 17:27:41 +0000.

Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets
Posted Tue, 17 Jan 2017 17:16:37 +0000 on Cloud Sentry Blog

As if the MongoDB sacking fiasco wasn’t enough, bored attackers have added ransacking of open AWS Elasticsearch clusters to their list. Late last week (and who knows how long before that), they began attacking Elasticsearch domains with open access policies. Access and permissions for AWS Elasticsearch domains are controlled via resource-based policies.

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except when testing with non-production data. We would go as far as to say that testing with an open access policy should never be practiced, period. Our experience shows that development and pre-production environments are ripe for exploitation because of their lower security hygiene and reduced (or absent) monitoring. What’s even worse is that we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that, or if you must, always make sure you anonymize it).
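The rule above (a wildcard principal on an Allow statement, not narrowed to specific source IPs, means the domain is open to the internet) is easy to check mechanically. The following Python is an added example for this post, not the ESP custom signature linked below and not Evident.io’s code. It parses the domain’s access policy document and flags open statements; the policy documents, domain names and account ID are constructed placeholders. It goes slightly beyond the post by also treating an IP condition that admits 0.0.0.0/0 or ::/0 as open.

```python
"""Check AWS Elasticsearch domain access policies for open (anonymous) access.

Added example for this post; it is not the Evident.io ESP signature linked
below. The policy documents, domain names and account ID are constructed
placeholders, not real resources.
"""
import json
from typing import Any, Dict, List

ANYWHERE = ("0.0.0.0/0", "::/0")  # IP conditions that exclude nobody


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may hold a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (a "*" inside a list counts too)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _source_ip_cidrs(condition: Dict[str, Any]) -> List[str]:
    """CIDRs that an IpAddress condition on aws:SourceIp restricts callers to."""
    cidrs: List[str] = []
    for operator, keys in condition.items():
        if operator.lower().startswith("ipaddress") and isinstance(keys, dict):
            for key, value in keys.items():
                if key.lower() == "aws:sourceip":
                    cidrs.extend(str(v) for v in _as_list(value))
    return cidrs


def open_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return the Allow statements that expose the domain to anyone on the internet.

    A statement is open when its principal is a wildcard and it is not narrowed
    by an IpAddress condition on aws:SourceIp, or when that condition itself
    admits every address (0.0.0.0/0 or ::/0). An empty AccessPolicies string
    (domain without a policy) is treated as not open.
    """
    policy = json.loads(policy_json) if policy_json else {}
    findings: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        cidrs = _source_ip_cidrs(stmt.get("Condition") or {})
        if cidrs and not any(c in ANYWHERE for c in cidrs):
            continue  # anonymous but limited to specific source IPs
        findings.append(stmt)
    return findings


def is_open_access_policy(policy_json: str) -> bool:
    """True when at least one statement grants anonymous access."""
    return bool(open_statements(policy_json))


# Constructed sample policies (placeholder account ID and domain name).
_RESOURCE = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"

OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "es:*", "Resource": _RESOURCE}],
})

IP_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "es:*", "Resource": _RESOURCE,
                   "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}],
})

ANY_IP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "es:*", "Resource": _RESOURCE,
                   "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}],
})

ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "es:*", "Resource": _RESOURCE}],
})


def audit(domains: Dict[str, str]) -> Dict[str, bool]:
    """Map each domain name to whether its access policy is open."""
    return {name: is_open_access_policy(policy) for name, policy in domains.items()}


if __name__ == "__main__":
    # In a real scan the policy string comes from boto3:
    # boto3.client("es").describe_elasticsearch_domain(DomainName=name)
    #     ["DomainStatus"]["AccessPolicies"]
    sample = {"open-dev": OPEN_POLICY, "ip-locked": IP_RESTRICTED_POLICY,
              "any-ip": ANY_IP_POLICY, "account-only": ACCOUNT_POLICY}
    for name, flagged in audit(sample).items():
        print(f"{name}: {'OPEN ACCESS - fix now' if flagged else 'ok'}")
```

Run against every domain in every region you use; the IP-restricted sample is deliberately not flagged, because a wildcard principal behind an aws:SourceIp condition is how AWS expresses “allow access from specific IPs”, not open access.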

Evident.io takes these types of exploits in the wild very seriously. In order for our customers to identify, remediate and monitor for Elasticsearch domains with open access policies, we have released an Evident Security Platform (ESP) custom signature in our open-source repo: https://github.com/EvidentSecurity/custom_signatures/blob/master/elastic_search_open_access_policy.rb

We recommend that everyone that uses AWS Elasticsearch install and activate this ESP custom signature immediately. Instructions for creating a custom signature are here: http://docs.evident.io/#custom-signatures.

If you have any questions installing this custom signature, please email support@evident.io.

—The Evident.io Team

PS – Not yet an Evident.io customer? You can try ESP free for 14 days and start securing your cloud infrastructure within minutes. Get started now to see if you have any high priority risks in your AWS environment.

The Big Cloud Security Skills In-demand Right Now
Posted Fri, 13 Jan 2017 23:11:17 +0000 on Cloud Sentry Blog

Whenever one looks at the cybersecurity job market, there’s never a lack of speculation as to the shortage of cybersecurity skills. And I don’t recall recently speaking with a chief information security officer who thought it was easy to find security talent.

Consider a recent report from the Center for Strategic and International Studies titled Hacking Skills Shortage. This study found that a majority of the 775 IT decision-makers surveyed believe that their organizations lack workers with the necessary cybersecurity skills. About a third of these respondents believe this cybersecurity-skill shortage is so severe that it makes them hacking targets.

Don’t expect this cybersecurity-skills-demand gap to close any time soon. According to the 2015 (ISC)2 Global Information Security Workforce Study conducted by Frost & Sullivan, there will be a staggering 1.5-million-person global cybersecurity worker shortfall in 2020.

This is good news if you are a job seeker, especially if you have the right set of security skills that employers need now. And with that in mind, I have been asking, quite informally, CISOs and CIOs over the past few weeks what cloud security skills they see as the most in demand in the near future. The skills I list below are the cloud security skills that came up repeatedly in these discussions.

Cloud Security Architects

Those who can manage cloud security assurance processes, understand how to review cloud vendor proposals, and vet planned deployments will be in high demand. Individuals involved in this type of work, such as cloud security architects, need strong communication skills to communicate with technical teams and business units alike. They need a good understanding of IT regulatory controls, privacy controls, and data security processes and controls. They must also be adept in many different types of technologies that intersect with the cloud, including networking, firewalls, encryption, identity management, virtualization, DevOps practices, and many other technologies depending on the nature of the organization and its technology needs.

They must also be expert at migrating legacy on-premises systems to the cloud. Organizations need to know how to choose secure cloud apps and services and know how to securely move systems to public and hybrid clouds.

Cloud regulatory and policy compliance expertise

As more applications, storage, and networks move to the cloud, more regulated data is sure to follow. Enterprises are going to need to understand where their regulated data resides, how it is managed, how is the data secured, and how the security and regulatory compliance management of the data can be verified, as well as provided to regulators and auditors if need be.

Not only must the individuals in these security and compliance roles understand the technologies behind security and compliance controls – such as vulnerability and configuration management, encryption, change management and more – they must also understand SLAs and how to parse complex cloud services contracts, how to negotiate these contracts, or how to help those who will be negotiating in their organization to better negotiate with cloud service providers.

Security data analysis

Increasingly, good security is about good insight into what is happening within and outside cloud services and software-defined networks. This requires good data and the ability to analyze that data. Most of that security data today is gleaned from application, server, and network logs, behavior management systems, and other systems.

Skills that will be in demand here include analyzing structured and unstructured data, working with data processing frameworks such as Hadoop, predictive model development, decision modeling, and advanced visualization.

Secure cloud application development

As enterprises continue their digital transformation efforts, they will be developing more applications for cloud than ever before. And to meet app demand, they’ll continue to implement and optimize their continuous development pipelines. This increases demand for application security experts and those who can also automate tests in continuous development and integration pipelines.

Organizations are going to need more help when it comes to training and coaching development teams to develop applications more securely.  

Of course, these skills will also be in demand for years to come, and likely help build the foundation for any long-term career in cloud security.

PagerDuty Incident Response Guide to Avoid the 3 AM Call
Posted Thu, 05 Jan 2017 18:20:18 +0000 on Cloud Sentry Blog

No one likes a 3 AM phone call, it doesn’t matter if you’re running for President or if you’re the lead DevSecOps engineer. Unless you’re prepared, 3 AM phone calls generally suck.

Running Evident.io’s ESP will help prevent those dreaded 3 AM phone calls from happening. Prepared AWS enterprises will do everything in their power to mitigate potential downtime.

Our partners at PagerDuty recently released a version of their incident response guide, which covers pretty much everything: preparing to go on-call, definitions of severities, incident call etiquette, how to run a post-mortem (with a post-mortem template), and even their security incident response process.

I’d encourage you to check it out, even if it’s just a refresher of the best practices you’ve already got in place.

PagerDuty Incident Response Guide

Cybersecurity, Regulatory Compliance and the Big Senior Management Disconnect
Posted Tue, 03 Jan 2017 20:16:03 +0000 on Cloud Sentry Blog

When it comes to cybersecurity and regulatory compliance some things never change.

Despite the increasingly higher fines being levied and rising number of data breaches and more stringent government and industry regulations, too many C-level executives and senior-level managers remain out of touch when it comes to understanding data security, privacy, and regulatory compliance.

This makes it quite challenging for security professionals because, without C-Level executive leadership behind cybersecurity efforts, it is way too easy for these efforts to simply be shoved aside. Who wants to have to deal with threat modeling new services, checking contracts for security obligations, putting in place good access control, or making sure applications are developed as securely as is reasonably possible? All these things do is bog projects down…

Of course, if an organization wants to remain secure such measures are essential. But the natural tendency of people and teams is the same as water: it’ll travel the path of least resistance unless guided otherwise. When it comes to cybersecurity, it’s guided not by riverbeds or plumbing but executive leadership. This is why a recent survey is so concerning.

According to the 2016 State of Compliance survey (conducted by Liaison Technologies) nearly half of the C-level executives and senior-level managers don’t know for sure what information security and privacy regulations apply to their organizations. About 500 executives and senior-level managers took part in the survey.

Additionally, and nearly as concerning, about 25 percent of survey respondents reported that they are not sure who is responsible for security and compliance in their organization and about half don’t think their data is secure in the cloud.

This kind of senior leadership and cybersecurity disconnect should surprise me, but it doesn’t. The 2015 US State of Cybercrime Survey, conducted by PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service, found that 28 percent of respondents don’t make any presentation to their board of directors and 26 percent (one in four) have a CISO or equivalent present to the board only annually.

That means about 30 percent of respondents said their senior security executives were in regular contact with the board through quarterly cybersecurity presentations.

These are dismal results, of course. And they point to the long on-going discussion regarding the cybersecurity and business executive disconnect that exists – and why it is critical this disconnect be closed. As NSS Labs CEO Vikram Phatak told me for the story Top executives and cybersecurity: a fickle relationship?, “Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance and place value on it accordingly.”

Of course, none of this is easy, or most organizations would be doing this already. And ensuring business leadership and cybersecurity goals are properly aligned will be an important topic area covered here in the next year. In the meantime, there are lessons to be learned from other industry efforts when it comes to affecting culture change.

In this story, Aligning Cybersecurity with Corporate Culture, the author cites researcher Philip Sutton’s four shifts in emphasis that characterize the evolution of workplace safety culture:

  • From an employee responsibility to a management responsibility.
  • From post-accident coping to prevention.
  • From nonsystematic management to whole system management.
  • From risk reduction to risk elimination.

“When managers took up the safety mantle—establishing and enforcing safety protocols, providing worker training, and encouraging supervisors and employees to report hazards—accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aimed at eliminating risk altogether,” JR Reagan, global chief information security officer, Deloitte Touche Tohmatsu Limited wrote in his post.

There’s good reason to think, as Reagan said, that such lessons about risk reduction from other domains should be embraced, and not just by security practitioners: they already know what is at stake and largely what needs to be done, and they are placed at a disadvantage without the proper support in place. Without that leadership involvement, and even a culture of security, too often cybersecurity is just something that gets in the way, and so it gets pushed aside.

Last Minute Security Gifts for Your Family & Friends
Posted Tue, 13 Dec 2016 19:50:02 +0000 on Cloud Sentry Blog

Looking for some last minute gifts for your friends and family this year that help them stay secure online? Here’s a list of our top choices compiled from our security-minded team here at Evident.io.

Password Vault Subscription

How many times have you gone to your parents’ house only to see post-its with passwords all over their desk? Or been able to guess their password in fewer than 3 tries? This year, think about teaching them some password best practices, and help them improve their security with a subscription to LastPass, Dashlane, or 1Password, which has a cool family edition.

Antivirus Software

Give yourself a gift and give antivirus protection to your family members who haven’t yet made the investment. Cuz you know that otherwise you’ll just be cleaning up the mess after they’ve clicked through every link that comes across their email. Some of our favorites include Bitdefender Antivirus Plus 2017, Kaspersky Antivirus (2017), Malwarebytes and Norton Security.

RFID Blocking Wallet or Bag

As more of our credit cards and IoT devices get RFID chips, there is the risk that someone can access private data using an RFID reader as you enjoy your coffee or ride the train. If you are thinking about getting someone a new wallet or bag, consider one with RFID blocking capability. Some options include this men’s wallet, this ladies’ clutch or this awesome Pacsafe backpack. Note that not all RFID-blocking accessories are made the same, and they are no replacement for caution and safety best practices!

Internet Filtering Software


Know some working parents who don’t have time (or energy) to monitor where the kids are going online and could really use some peace of mind? Get them a subscription to an internet filter like NetNanny, which brings professional-level controls to home computers and devices.

It doesn’t replace talking to the kids and teaching them about online dangers, but it can help protect them from online predators, cyberbullying and pornography threats.

Webcam Covers

For those of you who worry about hackers spying on your kids through their webcam, maybe you can get them a sliding webcam cover to put in their stocking. Or block the cyber peepers today with a piece of tape or a post-it. We’ve got an awesome Evident.io branded webcam cover – send us a tweet and we’ll send one out to you.

Gift of Your Time

Anyone in IT will attest to spending hours helping family and friends fix laptops, printers and routers. This year, make security a top priority and give them the gift of your time to help them become more security-aware. You can start by helping implement better passwords, setting up multi-factor authentication for email and other applications with private data, and talking to them about how hackers use social engineering to get private data from them.

Whatever you end up deciding on, I’m sure it will be great. Perhaps I’m an idealist, but I think that most people just want to know that they are remembered. Have a wonderful holiday season and be safe out there and online!

The Shift to Cloud Security Spend Continues
Posted Mon, 12 Dec 2016 18:56:58 +0000 on Cloud Sentry Blog

Recent studies show that the growth in cloud and security will continue to substantially outpace the rate of growth in traditional business-technology systems.

According to the Society for Information Management’s IT Trends Study, the three organizational priorities for the year are IT and alignment with the business, security, and innovation. According to the study, IT and business alignment and security are also among the concerns that survey respondents found personally concerning, along with the difficulty in finding the right IT skills.

The study also found, not surprisingly, that the percentage of budget being spent on hardware and software is moving to cloud, while average IT salaries this year increased 3.5%. Overall IT budgets are down a smidgen to 4.15% from 4.6%. That’s a result, I figure, reflecting the shift from high-cost on-premises capital expenditures to cloud services with lower upfront costs that are expensed operationally.

“The increase in cloud utilization and spending is not only associated with big reductions in the cost of keeping the IT lights on,” said Leon Kappelman, IT professor, and lead researcher of the study in a news release, “but also big increases in spending on integration and probably some of the increase in cybersecurity spending too.” In its 37th year, the Society for Information Management’s IT Trends Study is based on responses from 1,213 society members, from 801 organizations, and represented $192 billion in 2016 IT spending.

A separate study, conducted by research firm International Data Corp. (IDC), forecasts that worldwide revenues for security-related hardware, software and services will grow from roughly $74 billion in 2016 to $102 billion by 2020. IDC’s anticipated compound annual growth rate of 8.3% is about twice the growth rate identified as the overall IT budget for this year.

According to the IDC report, the business segments that will have made the largest investments in security this year include banking at roughly $8.6 billion. Banking is one of the four industries that will constitute nearly 40% of global security spending in the next five years, followed by discrete manufacturing, government, and process manufacturing. The industries that will grow the most rapidly in the next five years, each growing more than 9% annually, include: healthcare, telecommunications, utilities, state and local government, and securities and investment services.

Why is security spending accelerating so much? I suspect a large part of the investment is because many industries have to play catch-up after years of neglect when it came to cybersecurity. I think another aspect of the spend is the result of fighting today’s battles with yesterday’s strategies when it comes to cloud security. Too many organizations are investing in legacy toolsets that have been “cloudwashed” as cloud security alternatives.

Finally, I think the skills shortage in IT generally, and cybersecurity especially, is what is driving 45% of all security spending, in IDC’s view, to security services, including managed security services. Also, as many enterprises play catch-up, they are investing more in security basics, including endpoint security, identity and access management, and security and vulnerability management software, which together drive more than three quarters of the category’s revenues.

Let’s just hope most of these investments are being spent wisely.

The Future of Continuous Compliance is Automation
Posted Wed, 07 Dec 2016 18:32:35 +0000 on Cloud Sentry Blog

On-demand Webinar

The demand for security professionals who analyze cloud risk and security has never been greater! Traditional approaches are no longer as effective, and new cloud security tools and technologies are required to become more productive. In order to build secure applications faster, security and compliance measures must be enforced at the speed of scale. Automation is essential for modern IT organizations.

The future looks bright for DevOps as new Cloud Security platforms, automation, and self-service tools fill the gaps to overcome key challenges and bottlenecks, delivering Continuous Compliance.

Join Forrester Analyst Robert Stroud and Evident.io Solutions Architect Sebastian Taphanel to understand the key trends, challenges, and emerging solutions that portend the future of Continuous Compliance and Security in the Cloud including:

  • Key challenges in compliance and automation with Cloud Security tools
  • Cloud Security and Compliance skills that will be required in the future
  • The trend toward and need for Compliance Automation tools for DevOps
  • Risk changes over time and how to adjust your posture

VIEW ON-DEMAND WEBINAR

ABOUT THE SPEAKERS

Robert Stroud – Principal Analyst at Forrester Research serving Infrastructure and Operations professionals.

Rob’s research focuses on driving the market toward a refined approach to software-defined infrastructure development and delivery. He challenges thinking by applying DevOps and continuous delivery insights to infrastructure and cloud to assist enterprises seeking to thrive in the age of the customer. Rob has more than 25 years’ experience in the industry and has demonstrated an ability to predict changing trends in the domains of cloud computing, DevOps, service assurance, cybersecurity, governance, and risk. He also advises organizations on their strategies to ensure they drive maximum business value from their investments in technology-enabled business governance.

Sebastian Taphanel – Solutions Architect at Evident.io serving Federal Accounts.

Sebastian’s experience is a blend of a 20+ year DoD Special Ops / Intel career with 10+ years of sound security engineering practices focused on implementing ‘Defense in Depth’ through the use of innovative technologies and common sense business practices. He is currently focused on helping enterprises implement ‘Security by Design’ for their cloud migrations.

Evident Security Platform – Private SaaS Edition
Posted Tue, 06 Dec 2016 21:57:07 +0000 on Cloud Sentry Blog

Businesses have a diverse set of security and privacy requirements. ESP Private SaaS Edition is the self-hosted version of the Evident Security Platform, which organizations can deploy and manage within their own, secure AWS environments.

Overview

The Private SaaS Edition of the Evident Security Platform has been a frequently requested hosting option from Large Enterprises, US and Foreign Banks, and US and Foreign Government Agencies. These organizations have crucial security policies and controls that need to be met with a self-hosted version of the Evident Security Platform.

Using Evident, our customers are able to: streamline the procurement process via AWS marketplace, meet data locality requirements, provide enhanced visibility, facilitate collaboration, centrally manage with flexible hierarchical role based access control, save time and mitigate risks faster via rapid deployment, enhance security with zero performance impact, and leverage existing technology investments through third party integrations.

Availability in AWS Marketplace

Compared to traditional IT procurement methods, AWS Marketplace is a new way for customers to purchase software and deploy infrastructure into their AWS environment rapidly while shortening and simplifying the procurement process.

ESP Private SaaS Edition is available both directly from Evident.io, Inc. and via the AWS Marketplace. For certain customers, the preferred method for purchasing ESP is by using the AWS marketplace, which then adds the ESP charges to their AWS bill.

Meet Data Locality Requirements

ESP Private SaaS enables organizations with specific security, privacy and data locality requirements to operate the Evident Security Platform within the AWS region that suits their needs, ensuring data resides within the geographic boundaries required by their local laws.

For example, Australian government organizations can operate ESP out of the Sydney region, German banks can operate ESP out of the Frankfurt region, Singaporean banks can operate out of the Singapore region, and US Government organizations can operate out of the GovCloud region.

For many of our largest and most risk-averse customers this is a non-negotiable purchasing requirement, and they insist on operating a Private ESP infrastructure within their environments. For these customers we have built this capability and are excited to deliver a solution that meets their stringent security, privacy and compliance needs.

Provide Enhanced Visibility

ESP Private SaaS edition is deployed within a single AWS account and VPC, and can be used to continuously monitor the security and compliance of hundreds or thousands of AWS accounts, across a wide variety of AWS services.

The Evident Security Platform is a value added service that runs on top of AWS to provide enhanced and extended security visibility and control to organizations operating their workloads in the public cloud.

Centrally Manage with Flexible Hierarchical RBAC

Flexible Hierarchical Role Based Access Control (RBAC) in ESP means that multi-level organizations can maintain needed visibility into security and compliance efforts while limiting access to information on a need-to-know basis. As organizational needs differ, this is intended to flexibly meet the needs of various organizations.

This is accomplished by allowing customers to define an RBAC scheme that fits how the lines of business within their organization operate. In some organizations, a security or compliance team maintains visibility across the entire platform while specific product teams or lines of business only have visibility into the security and compliance of their own AWS accounts.

Facilitate Collaboration

The Evident Security Platform facilitates collaboration between development and operations (DevOps) teams, security teams, and management teams by providing a single view into the security and compliance of an entire organization’s AWS footprint.

Organizations that have adopted the Evident Security Platform report that communication between teams is streamlined and risks are mitigated much faster than before. Enabling collaboration between various disciplines involved in the ongoing maintenance and operation of information systems enables our customers to innovate faster with fewer risks.

Save Time and Mitigate Faster With Rapid Deployment

To meet the needs of organizations operating under tight timelines and schedules, ESP has the ability to rapidly onboard AWS accounts into the platform for analysis. Deploying across an organization’s entire AWS footprint, even across hundreds or thousands of accounts can be done rapidly and efficiently.

Because of the design and architecture of the service, ESP PSaaS Edition can be deployed without placing a system inside each AWS account to be monitored and without reconfiguring firewalls. The service was designed from day one to be a capability that can be deployed across an entire organization’s AWS footprint in hours, not days or weeks.

Enhance Security With Zero Performance Impact

ESP is able to perform detailed security and compliance analysis of customer AWS accounts while having zero performance impact on the services being monitored.

Unlike agent-based technologies, ESP does not require resources within your EC2 instances to operate. Our analysis is API driven and focused at the cloud infrastructure layer, meaning no software needs to be installed for this broad and deep analysis to take place.

Leverage Existing Investments and Extend Capabilities With Third Party Integrations

Integrating ESP with third party systems is a common practice, and a variety of integration methods exist to support this need. Many organizations integrate ESP with their existing SIEM solutions, such as Splunk.

The Private SaaS Edition of the Evident Security Platform supports this and all of the other third party integrations our customers have come to know and love in our public SaaS service, such as SNS, PagerDuty, ServiceNow, JIRA, and others.

Start Compliant, Stay Compliant
../start-compliant-stay-compliant/
Mon, 05 Dec 2016 21:18:17 +0000

Compliance is no longer a once & done thing.

Merriam-Webster defines “compliance” as the act or process of doing what you have been asked or ordered to do. It is no wonder that folks get defensive when compliance comes up. The conversation also seems to generate audible groans. But is it difficult to get compliant and stay that way? It depends on many factors, but the cloud can help.

In 2004, compliance came knocking on my infrastructure's front door in the shape of the Payment Card Industry Data Security Standard (PCI DSS). At the time, security as it related to PCI was talked about like a new concept. In practice, it turned out to be mostly documenting what was already being done and closing some gaps that, until then, may not have been considered.

Let’s say that again, “in practice, getting PCI Compliant turned out to be mostly documenting the controls that were already in place.” Did we call them controls? Not exactly. For example, was there a password policy? Yes, there sure was, check. Was there a firewall policy? Yes, there sure was. Was the data protected? It was. The details are what make it complicated and also accelerate you from the typical box checking audit into real security, but it is a start. Without a start, the finish is somewhat impossible, so let us be ok initially with the box checking for a moment.

There is a tremendous volume of documentation and checklists out there on becoming compliant, so we will not try and duplicate that. There is also much overlap in the compliance frameworks, and that is good because when you go through one, it will make the next one easier.

For data compliance, if you are considering a move to the cloud, then you are in luck. A benefit of cloud computing is that you have fewer controls to audit. The major cloud providers take over the physical aspects of data security: they own the facilities, systems, and infrastructure that host your data. Fewer controls for you to check! Don’t take this for granted; make sure you get copies of your cloud provider's certifications and compliance documents. Fewer controls to check also equates to less money spent when conducting an audit.

For the protection of the actual data, those same cloud providers that took over your physical controls have empowered you with all of the services needed to implement security. The key here is that you still own data security, thus the shared security model. A key benefit is that the cloud provider has also given you tools needed to automate all of the inspections. Granted, they may not be on a clipboard with a checklist, but the review of all the items on the checklist you are responsible for can now be done with an API call.

While it may be challenging to embrace, it is there. For example, if you take the PCI framework, with its six goals and twelve requirements as noted on the first page of this document, you start to get a feel for this. Yes, it can be simple, and it can be automated. Let’s take just one control as an example:

Build and Maintain a Secure Network. Again, your cloud provider has all the checks necessary around the hardware; you own verification that the networks you manage are secure. For that control, there are two requirements to be met:

  1. Install and maintain a firewall configuration to protect cardholder data. 
    If you use AWS, this is accomplished by configuring three items: the Virtual Private Cloud (VPC), EC2 Security Groups, and VPC Network ACLs. These three configuration items, correctly set, will net you a check in the box for that requirement. Granted, what "correctly set" means is defined by your application's requirements. To address this, you need to ensure that the application is documented, so you can correctly set up the firewall, document it, and, now that it is in AWS, automate the inspection.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. 
    This requirement has two aspects: system passwords and security settings. You don’t want to use your vendor's defaults. If you use AWS, users, passwords, and policies are established with the Identity and Access Management (IAM) service. You most likely already have a corporate user, group, and password policy practice, and IAM allows you to replicate that fully in the cloud. For the second part, it takes a few extra steps to make sure you are not using the vendor-provided defaults. Because cloud providers make their services easy to use, there are some security gaps that need to be reviewed, mainly around unused resources and open network allow rules. Ideally, you can choose to start fresh with new VPCs configured uniquely for your application, or you can leverage the defaults and lock them down to only what is needed. Either way will net you another check in this box.

Step one of the twelve steps to PCI compliance is complete. When you review the referenced PCI document, you can see how, taken one step at a time, it is not just possible to be PCI compliant; it is highly likely you have already taken steps in that direction. The benefit of the PCI document is that you have a checklist that can help validate your work. However, a checklist is not validation that your application is secure. That is an important distinction. The PCI checklist is a good start, but in and of itself it does not guarantee security; thus you cannot claim security because you are compliant. Securing your application is a topic for a different post.

How often is the checklist checked? In between checks, the environment is likely undergoing change, so how do you know whether you are compliant at any given point in time? And while the auditors may not be as interested in that, as a security professional, you are. Again, we look to the cloud for help, because now you can automate your checks just like you automate your deployments. That is correct: you can self-audit with every deployment, several times a day, and on demand, because you are only inspecting the configuration of an item in the cloud. If the item is configured correctly, you pass. If it is not, you need to remediate the issue. Because you have automation, you can remediate any offending item that is not compliant, thus ensuring continuous compliance. A buzzword, yes, but it is achievable with the tools offered by cloud providers today.
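As an added example (not part of the original post), here are the two requirements listed above and the "self-audit with every deployment" idea expressed as code: pure Python checks over the dict shapes that EC2 DescribeSecurityGroups and IAM GetAccountPasswordPolicy return, run on constructed sample data. The password baseline is my assumed mapping of PCI DSS v3.2 requirement 8.2.3 through 8.2.5 onto IAM policy keys, and the function names and security group IDs are hypothetical.

```python
# Added example: self-audit of PCI DSS Requirements 1 and 2 against AWS configuration.
# Works on the dict shapes returned by EC2 DescribeSecurityGroups and IAM
# GetAccountPasswordPolicy; sample data below is constructed, not from a real account.
from __future__ import annotations

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "any source" for IPv4 and IPv6

# Assumed mapping of PCI DSS v3.2 req. 8.2.3-8.2.5 onto IAM password policy keys
PCI_PASSWORD_BASELINE = {
    "MinimumPasswordLength": lambda v: v is not None and v >= 7,
    "RequireNumbers": lambda v: v is True,
    "RequireLowercaseCharacters": lambda v: v is True,  # alphabetic characters
    "MaxPasswordAge": lambda v: v is not None and 0 < v <= 90,  # rotate <= 90 days
    "PasswordReusePrevention": lambda v: v is not None and v >= 4,  # last 4 banned
}

def open_ingress_findings(group: dict) -> list[str]:
    """Requirement 1: flag inbound security group rules reachable from anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & OPEN_CIDRS:
            proto = perm.get("IpProtocol", "-1")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            findings.append(f"{group['GroupId']}: ingress open to the world ({proto} {ports})")
    return findings

def password_policy_findings(policy: dict | None) -> list[str]:
    """Requirement 2: no account policy at all means the vendor default is in use."""
    if policy is None:
        return ["IAM: no account password policy set (vendor default in use)"]
    return [f"IAM password policy: {k}={policy.get(k)!r} fails PCI baseline"
            for k, ok in PCI_PASSWORD_BASELINE.items() if not ok(policy.get(k))]

def audit(groups: list[dict], policy: dict | None) -> list[str]:
    """Run both checks; an empty result is a pass for this deployment."""
    findings = [f for g in groups for f in open_ingress_findings(g)]
    return findings + password_policy_findings(policy)

SAMPLE_GROUPS = [  # constructed: SSH open to the world vs. HTTPS from a private range
    {"GroupId": "sg-0000aaaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
SAMPLE_POLICY = {"MinimumPasswordLength": 12, "RequireNumbers": True,  # no MaxPasswordAge
                 "RequireLowercaseCharacters": True, "PasswordReusePrevention": 24}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_GROUPS, SAMPLE_POLICY)) or "PASS")
```

Wire `audit()` into the deployment pipeline and fail the deploy on a non-empty list; the live inputs come from boto3's `describe_security_groups()` and `get_account_password_policy()`, the latter raising `NoSuchEntityException` when no policy exists, which maps to `None` here.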

The challenge now becomes: do you have the time and resources to build the automation for security validation in line with your deployments?

Go Continuous or Go Home
../go-continuous-or-go-home/
Wed, 23 Nov 2016 18:07:24 +0000

Enterprise cloud security certainly doesn’t seem to be getting any simpler. In a typical enterprise, security teams must grapple not only with securing their traditional systems, but they must now be concerned with cloud platform security, the security of cloud application services, the APIs that help to glue this all together, mobile security, and increasingly the security of connected devices. Many transactions today flow through the cloud, and the data is stored, or at least manipulated, in the cloud.

If complexity is rising, along with the number of devices, apps, and cloud services – and these aspects of IT are being continuously enhanced and updated – the answer is to ensure that security is just as agile, streamlined, and continuous as the rest of the enterprise. So how do enterprises get started?

First-up, security tools should be optimized for the environment they are securing. Gone are the days of on-premises security servers and appliances unless they are necessary for specific tasks. And there’s no room for slow, closed (no real API to speak of), and proprietary security toolsets. These approaches just aren’t working anymore in today’s environments. They are not agile enough and not extensible enough.

One of the most important security, development, and operations trends to arise in recent years is DevOps, and tighter collaboration throughout the enterprise for the sake of agility. This makes it much easier for security and DevOps teams to keep their systems secure and for the business to better compete.

But it takes more than that, today. It takes continuous security and compliance monitoring that, much like the cloud systems and app rollouts today, just doesn’t stop. But enterprises can’t go from periodic, occasional security and compliance monitoring to continuous security and compliance monitoring overnight.

At least big enterprises can’t. Certainly, smaller organizations with a few cloud services and a modest cloud infrastructure will find that setting up continuous security and policy compliance monitoring is not very challenging. In a mid-size to large enterprise, however, it can at first appear overwhelming.

In this case, enterprises can’t just start monitoring everything continuously all at once. The best place to start here might also be where adversaries would start. This could be important apps, servers, or databases that hold valuable client information, perhaps medical or financial account information, or intellectual property. It all depends on the kind of business you are. Pick the data and systems most valuable to your business (or those that would be most valuable to potential attackers) and start to look for ways to continuously monitor and assess them.

Initially, the important thing is to just start thinking about ways that mission-critical systems, and systems that manage or store highly regulated data, would be continuously vetted for application and configuration errors and weaknesses. If you aren’t sure what systems these may be and how to prioritize, start working closely with compliance and operations teams, application owners, and security teams. This way you will best identify the most critical and valuable systems and data and begin your continuous monitoring efforts there.
